Re: [COFF] Other OSes?

On Tue, Jul 10, 2018 at 1:30 AM Bakul Shah <bakul(a)bitblocks.com> wrote: In many ways, capabilities do the same thing: by not being able to name a resource, I cannot access it. _A_ way to think of plan9 style namespaces are as objects, with the names of files exposed by a particular filesystem being operations on those objects (I'm paraphrasing Russ Cox here, I think). In the plan9 world, most useful resources are implemented as filesystems. In that sense, not only does a particular namespace present a program with the set of resources it can access, but it also defines what I can do with those resources. Capabilities control what you can do with such an object. Cap I disagree. By way of example, I again reiterate the question I've asked several times now: there's a capability in e.g. Capsicum to allow a program to invoke the connect(2) system call: how does the capability system allow me to control the 5 tuple one might connect(2) to? I gave an example where, in the namespace world, I can interpose a proxy namespace that emulates the networking filesystem and restrict what I can do with the network. A cap is much like a file descriptor but it doesn't have to be So in other words, "buffer" is a name of an object and by being able to name that object, I can do something useful with it, subject to the limitations imposed by the object itself (e.g., `read(fd, buffer, count);` will fault if `buffer` points to read-only memory). You can even think of a cap as a "promise" -- you can perform Similarly to the way that the existence of a file name in a process's namespace is in some ways a promise to be able to access some resource in the future. It's an aside, but it's astonishing to see how that's been bastardized by the use of ioctl() for such things in the Linux world. - Dan C.